b'Pension Benefit Guaranty Corporation\n\n     Office of Inspector General\n            Audit Report\n\n\n\n\n         Fiscal Year 1998\n    Financial Statement Audit -\n       Management Report\n\n\n\n\n          September 23, 1999\n                                   99-8/23132-3\n\x0c                Audit of PBGC\xe2\x80\x99s Fiscal Year 1998 Financial Statements\n                                 Management Letter\n                                    99-8/23132-3\n\n\n                               TABLE OF CONTENTS\n\n\n\n\nAbbreviations                                                             ii\n\nExecutive Summary                                                         iii\n\nManagement Response and OIG Evaluation                                    iv\n\nIntroduction                                                              1\n\nAudit Objectives                                                          1\n\nScope and Methodology                                                     2\n\nAudit Results                                                             2\n\nFindings and Recommendations                                              3\n\nCurrent Year Findings and Recommendations                                 6\n\nStatus of Prior Year Findings and Recommendations                         19\n\n\n\n                                        TAB\n\n\nManagement Response Memorandum                                          TAB I\n\n\n\n\n                                         -i-\n\x0c        Audit of PBGC\xe2\x80\x99s Fiscal Year 1998 Financial Statements\n                         Management Letter\n                            99-8/23132-3\n\n\n\n\n                        ABBREVIATIONS\n\n\n\nAICPA   American Institute of Certified Public Accountants\nEIA     Earned Income Accrual\nERISA   Employee Retirement Income Security Act of 1974\nFAM     Financial Audit Manual\nFBA     Field Benefit Administrator\nFMFIA   Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982\nFOD     Financial Operations Department\nFY      Fiscal Year\nGAAP    Generally Accepted Accounting Principles\nGAO     General Accounting Office\nIDL     Initial Determination Letter\nIOD     Insurance Operations Department\nIPS     Image Processing System\nIPVFB   Integrated Present Value of Future Benefits\nIRMD    Information Resources Management Department\nLAN     Local Area Network\nOED     Office of the Executive Director\nOIG     Office of Inspector General\nOMB     Office of Management and Budget\nPAIB    Premium Audit and Investigation Branch\nPAS     Premium Accounting System\nPLUS    Pension and Lump Sum System\nPBGC    Pension Benefit Guaranty Corporation\nPCR     Premium Compliance Reviews\nPDFN    Past Due Filing Notices\nPRISM   Participant Records Information Systems Management\nPVFB    Present Value of Future Benefits\nSOA     Statements of Account\nSSA     Social Security Administration\nSSB     State Street Bank and Trust Company\n\n\n\n\n                                -ii-\n\x0c                  Audit of PBGC\xe2\x80\x99s Fiscal Year 1998 Financial Statements\n                                   Management Letter\n                                      99-8/23132-3\n\n                                    EXECUTIVE SUMMARY\n\n       PricewaterhouseCoopers LLP (PricewaterhouseCoopers) was engaged by the Office of\nInspector General (OIG) of the Pension Benefit Guaranty Corporation (PBGC or the\nCorporation) to conduct an audit of the financial statements of the Single-Employer and\nMultiemployer Program Funds administered by PBGC, as of and for the years ended September\n30, 1998 and 1997. As presented in OIG Audit Report 99-7/23132-2, PricewaterhouseCoopers\nissued an unqualified opinion on the statements of financial condition and the related\nstatements of operations and changes in net position and statements of cash flows. The report\non PBGC\xe2\x80\x99s compliance with laws and regulations stated that the results of our tests disclosed\nno instances of non-compliance that are required to be reported under Government Auditing\nStandards, or the methodology set forth by the United States General Accounting Office\xe2\x80\x99s\n(GAO) Financial Audit Manual (FAM).\n\n        However, we noted certain matters involving internal control and its operation that we\nconsider to be reportable conditions under standards established by the American Institute of\nCertified Public Accountants (AICPA). None of the reportable conditions was believed by us to\nbe material weaknesses as defined by the AICPA. The reportable conditions we noted were:\nPBGC needs to integrate its financial management systems and improve its systems\ndevelopment life cycle methodology; PBGC needs to finalize and test its plan for maintaining\ncontinuity of operations; and PBGC needs to implement and improve controls surrounding the\nParticipant Records Information Systems Management (PRISM) application. The detailed\nfindings and recommendations related to the PRISM reportable condition are presented in\nSection 3 of this report.\n\n        This management report discusses findings and recommendations for improvements in\nthe Corporation\xe2\x80\x99s internal control that were identified during our audit of the fiscal year 1998\nfinancial statements. It contains 17 findings, which resulted in 24 recommendations that,\nalthough not considered material weaknesses, are serious enough to bring to management\xe2\x80\x99s\nattention. PBGC should implement the recommendations to strengthen its internal control. A\nmajority of the findings are reported in three categories: lack of adequate controls over financial\nreporting, lack of compliance with PBGC\xe2\x80\x99s policies and procedures, and lack of adequate\ncontrols surrounding the PRISM application. In addition, in the section entitled \xe2\x80\x9cPrior-Year\nFindings and Recommendations," we have summarized the status of prior year audit\nrecommendations included in OIG Audit Report Numbers 97-4/23110-2 and 97-23/23110-3, as\nof September 30, 1998. Recommendations that were deemed \xe2\x80\x9ccompleted\xe2\x80\x9d in prior years have\nnot been carried forward.\n\n\n\n\n                                                -iii-\n\x0cMANAGEMENT RESPONSE AND OIG EVALUATION\n\n      PBGC management was provided a draft copy of this report for review and comment.\nWe met with PBGC officials several times to discuss the impact of the report\xe2\x80\x99s findings and\nrecommendations and provide greater detail from our fieldwork. After these discussions, the\nOIG removed from the draft report one finding related to eliminated or corrected premium\nStatements of Account. The OIG has incorporated several editorial changes suggested by\nPBGC management.\n\n        PBGC management commented on the Report and concurred \xe2\x80\x9cwith its\nrecommendations except for one item.\xe2\x80\x9d Their comments are at Tab I. PBGC disagreed with the\nsecond recommendation of Finding 2.1 which states that PBGC should \xe2\x80\x9cmodify existing\nInsurance Operations Department (IOD) procedures to require retention of source\ndocumentation generated as a result of the participant data audits and used to calculate\nbenefit payments and value the PVFB liability.\xe2\x80\x9d\n\n        In their response, PBGC stated that current IOD procedures indeed \xe2\x80\x9crequire that source\ndocumentation is to be maintained to support participant data audits, the calculation of benefit\npayments, and the valuation of the Present Value of Future Benefits (PVFB) liability.\xe2\x80\x9d However,\nthe IOD Manual Section 12.5, \xe2\x80\x9cPerform Source Documentation Audit,\xe2\x80\x9d clearly instructs IOD\npersonnel to retain source documentation obtained from prior sponsors of terminated plans\nonly for a sample of participants. This documentation consists of several sample files for each\ncategory of participants and is used to analyze the data gathered in the field. IOD\xe2\x80\x99s collection\nand retention of only a sample of participant data may not be adequate in the future to provide\na proper audit trail to support benefit calculations and the PVFB liability. Proper audit trails\nhave been historically material to PBGC\xe2\x80\x99s financial statements as a whole. In addition,\nthroughout the IOD Manual a completeness of the participants\xe2\x80\x99 files is emphasized and\nencouraged. Complete documentation is the cornerstone for providing a proper audit trail to\nsupport data elements used to calculate benefits, and in turn, the PVFB liability. Failure to\ncapture full and complete participant data could ultimately affect the overall financial\nstatement opinions, including internal controls, in the future.\n\n       In addition, PBGC stated that this recommendation is \xe2\x80\x9cpending further discussions\nbetween OIG and IOD.\xe2\x80\x9d While we are available to discuss the changes we believe are needed to\nIOD\xe2\x80\x99s Manual, whether the Manual must be modified is not in question. Even though PBGC\nhas disagreed with a report recommendation, some modification to IOD\xe2\x80\x99s Manual will be\nnecessary to resolve noted inconsistencies in IOD\xe2\x80\x99s Manual and to repair a damaged audit trail\nthat currently is capturing incomplete participant data.\n\n\n\n\n                                               -iv-\n\x0c                 Audit of PBGC\xe2\x80\x99s Fiscal Year 1998 Financial Statements\n                                 Management Letter\n                                    99-8/23132-3\nIntroduction\n\n       As a government corporation created by Title IV of the Employee Retirement Income\nSecurity Act of 1974 (ERISA), the Pension Benefit Guaranty Corporation (PBGC or the\nCorporation) protects the pensions of more than 42 million Americans in approximately\n44,000 private defined benefit pension plans, including about 2,000 multiemployer plans.\nPBGC\xe2\x80\x99s mission is to operate as a service-oriented, professionally managed agency that\nprotects participants\xe2\x80\x99 benefits and supports a healthy retirement plan system by: (1)\nencouraging the continuation and maintenance of private pension plans; (2) protecting\npension benefits in ongoing plans; (3) providing timely payments of benefits in the case of\nterminated pension plans; and (4) making the maximum use of resources and maintaining\npremiums and operating costs at the lowest levels consistent with statutory responsibilities.\nPBGC finances its operations through premiums collected from covered plans, assets\nassumed from terminated plans, collection of employer liability payments due under ERISA,\nas amended, and investment income. In addition, PBGC may borrow up to $100 million from\nthe United States Department of the Treasury to finance its operations. To date, this\nborrowing authority has not been exercised.\n\nAudit Objectives\n\nThe objectives of our audit were to determine whether:\n\n\xe2\x80\xa2   The financial statements present fairly, in all material respects, the financial position of\n    the Single-Employer and Multiemployer Program Funds administered by PBGC as of\n    September 30, 1998, and September 30, 1997, and the results of their operations and\n    cash flows for the years then ended, in conformity with generally accepted accounting\n    principles (GAAP).\n\n\xe2\x80\xa2   Management\xe2\x80\x99s assertion that PBGC\xe2\x80\x99s controls in effect as of September 30, 1998, provided\n    reasonable assurance that assets were safeguarded from material loss and transactions\n    were executed in accordance with management\xe2\x80\x99s authority and with significant\n    provisions of selected laws and regulations, and furthermore, that PBGC controls provide\n    reasonable assurance that transactions were properly recorded, processed, and\n    summarized to permit the preparation of the financial statements in accordance with\n    generally accepted accounting principles and to maintain accountability for assets among\n    funds is fairly stated, in all material respects, based upon criteria contained in the Federal\n    Managers\xe2\x80\x99 Financial Integrity Act of 1982 (FMFIA). This assertion is included in the\n    Management\xe2\x80\x99s Discussion and Analysis of Financial Condition and Results of Operations\n    section of PBGC\xe2\x80\x99s Fiscal Year (FY) 1998 Annual Report to the Congress.\n\n\xe2\x80\xa2   PBGC is in compliance with significant provisions of applicable laws and regulations.\n\n\n                                                1\n\x0cScope and Methodology\n\n       PricewaterhouseCoopers LLP (PricewaterhouseCoopers) was engaged by the Office of\nInspector General (OIG) of PBGC to conduct an audit of the financial statements of the\nSingle-Employer and Multiemployer Program Funds administered by PBGC as of and for the\nyears ended September 30, 1998, and September 30, 1997.\n\n        Our audit was performed in accordance with standards established by the American\nInstitute of Certified Public Accountants (AICPA), Government Auditing Standards, and\npursuant to the methodology set forth by the United States General Accounting Office\xe2\x80\x99s\n(GAO) Financial Audit Manual (FAM). Those standards require that we plan and perform the\naudit to obtain reasonable assurance about whether the financial statements are free of\nmaterial misstatement.\n\n        An audit of financial statements conducted in accordance with generally accepted\nauditing standards, Government Auditing Standards issued by the Comptroller General of the\nUnited States, and the methodology set forth by GAO\xe2\x80\x99s FAM is not designed to detect\nwhether PBGC\xe2\x80\x99s systems are Year 2000 ready. Furthermore, we have no responsibility with\nregard to PBGC\xe2\x80\x99s efforts to make its systems, or any other systems, such as those of PBGC\xe2\x80\x99s\nvendors, service providers, or any other third parties, Year 2000 ready and no responsibility\nto provide assurance on whether PBGC has addressed or will be able to address all of the\naffected systems on a timely basis. These are the responsibilities of PBGC\xe2\x80\x99s management.\n\n       We performed tests of the accounting records and such other auditing procedures, as\nwe considered necessary in the circumstances. This involved performing tests at PBGC, the\nState Street Bank (SSB), two investment manager sites, and two Field Benefit Administrator\n(FBA) sites. We did not perform tests related to standard terminations or other areas not\nhaving a direct and material effect on the financial statements.\n\nAudit Results\n\n       As a result of our FY 1998 audit, we issued the following reports:\n\n       (a) an unqualified opinion on PBGC\xe2\x80\x99s statements of financial condition, and the\n           related statements of operations and changes in net position and statements of\n           cash flows, as of and for the years ended September 30, 1998, and September 30,\n           1997 (OIG report number 99-7/23132-2);\n\n       (b) a report on PBGC\xe2\x80\x99s compliance with laws and regulations that noted no instances\n           of non-compliance with the provisions tested; and\n\n       (c) a report on internal control that identified three reportable conditions, one of\n           which is recurring. These reportable conditions were not deemed to be material\n           weaknesses as defined by standards established by AICPA.\n\n\n                                              2\n\x0c        Our FY 1998 report on internal control disclosed the reportable condition related to\nthe lack of integration of the Corporation\xe2\x80\x99s financial management systems, including the\nneed for an adequate systems development life cycle methodology and the need for adequate\nsystems development monitoring and oversight. This reportable condition was also reported\nin FYs 1997 and 1996. During FY 1998, PBGC made some progress in addressing the issue.\nHowever, additional work is required to ensure that PBGC\xe2\x80\x99s financial management systems\nare integrated, the formal systems development life cycle methodology is implemented, and\nspecific criteria allowing the Corporation to effectively monitor systems outsourcing are\nidentified and followed.\n\n       Two new reportable conditions identified in our FY 1998 report on internal control\nwere: PBGC needs to finalize and test its plan for maintaining continuity of operations and\nPBGC needs to implement and improve controls surrounding the Participant Records\nInformation Systems Management (PRISM) application.\n\n        In addition to the reportable conditions specified above, during our FY 1998 audit, we\nidentified a number of internal control weaknesses that, although not considered material\nweaknesses or reportable conditions, we believe warrant the attention of management. This\nmanagement report summarizes our findings and recommendations for improvement in the\nCorporation\xe2\x80\x99s internal control.\n\nFindings and Recommendations\n\n        This report contains 17 findings from our FY 1998 testing which resulted in 24\nrecommendations that PBGC should implement to strengthen the Corporation\xe2\x80\x99s internal\ncontrol. Additionally, in the section entitled "Prior-Year Findings and Recommendations," we\nhave summarized the status of prior-year audit recommendations included in OIG Audit\nReport Numbers 97-4/23110-2 and 97-23/23110-3, as of September 30, 1998.\n\n       The remainder of this report is comprised of the following:\n\n\xe2\x80\xa2   A table listing our current year recommendations (Pages 4-5) .\n\xe2\x80\xa2   A discussion of each current year finding and corresponding recommendation(s)\n    (Pages 6-19).\n\xe2\x80\xa2   A table listing each of the outstanding prior year findings and their status as of\n    September 30, 1998 (Pages 19-21).\n\n\n\n\n                                               3\n\x0c                           Summary of Current Year Recommendations\n\n                                    Recommendation                                             Page\n                                                                                               Number\n1. Enhance financial reporting controls surrounding PAS to improve the system\xe2\x80\x99s ability to        7\naccurately track premiums receivable on a plan basis. (FOD-274)\n2. Analyze the existing year-end processes surrounding PAS and identify improvements that        7\nwill reduce the necessity of manual adjustments, validity testing, and reclassifications at\nyear-end. (FOD-275)\n3. Enforce existing IOD policies and procedures requiring that participants\xe2\x80\x99 files contain       8\ncomplete information critical for the benefit payments and the PVFB liability calculation.\n(IOD-169)\n4. Modify existing IOD procedures to require retention of source documentation generated as      8\na result of the participant data audits and used to calculate benefit payments and value the\nPVFB liability. (Disagreed-1)\n5. Develop, implement, and enforce consistent procedures for reinstating participants into       9\npay status. (IOD-170)\n6. Enforce policies and procedures related to the maintenance of plan file documentation at      9\nthe FBAs and headquarters. (IOD-171)\n7. Require all premium compliance reviews to be performed, documented, and approved in           10\naccordance with PBGC\xe2\x80\x99s Premium Compliance Review Procedures Manual. (FOD-276)\n8. Develop and implement formal procedures for closing premium compliance reviews in             10\nprogress prior to completion. (FOD-277)\n9. Develop and implement accounting procedures for recording the results of PCR into PAS at      11\nthe point the debt is determined. (FOD-227)\n10. PBGC needs to enhance the change control process used in maintaining and supporting          12\nits application systems and include it as part of the overall System Development Life Cycle\ncurrently being developed. (IRMD-108)\n11. PBGC needs to develop and formalize criteria for assessing business and information          12\ntechnology risks that can be used internally and for contractors performing independent\nreviews. (IRMD-109)\n12. Enforce policies and procedures that require participants\xe2\x80\x99 records in PRISM contain          13\ninformation that is adequately supported in IPS. (IOD-172)\n13. Enforce existing policies and procedures related to the information that should be           14\ncaptured by FBAs in the participants\xe2\x80\x99 records in PRISM. (IOD-173)\n14. Maintain an adequate audit trail of decisions affecting the integrity of participants\xe2\x80\x99       14\ndata. (IOD-174)\n15. Delete invalid duplicate participant records in PRISM and implement necessary controls       14\nto prevent the creation of duplicate records in future processing. (IOD-175)\n\n\n                                               4\n\x0c                           Summary of Current Year Recommendations\n\n                                    Recommendation                                              Page\n                                                                                                Number\n16. Apply transactions to participants\xe2\x80\x99 records in PRISM properly and timely. (IOD-176)           15\n\n17. Properly authorize special check payments in accordance with authorization thresholds         15\nestablished by PBGC. (IOD-177)\n18. Develop and implement formal reconciliation procedures that require the reconciling items     16\nbetween PRISM and PLUS records be resolved timely and their resolution be sufficiently\ndocumented. (IOD-178)\n19. Require formal managerial review and approval of reconciliations between PLUS and             16\nPRISM. (IOD-179)\n20. Implement the deathmatch controls. (IOD-180)                                                  16\n\n21. Establish a formal reconciliation process for the plans assumed from the prior paying         17\nagents whereby reconciliations are reviewed and approved by an appropriate level of\nmanagement. (IOD-181)\n22. PBGC should include in its development of a formal systems development life cycle             18\nmethodology policies and procedures that address adequate controls for the segregation of\nfunctions performed in the development and production environments. (IRMD-110)\n23. PBGC should include in its development of a formal systems development life cycle             18\nmethodology policies and procedures that implement and enforce adequate monitoring\ncontrols for significant activities performed by individuals and/or systems. (IRMD-111)\n24. PBGC should implement policies and procedures that would control the assignment of            19\nexcessive responsibilities, including the development of adequate monitoring of activities\nperformed by individuals and/or systems. (IOD-182)\n\n\n\n\n                                               5\n\x0cCurrent Year Findings and Recommendations\n\n1.     CONTROLS OVER FINANCIAL REPORTING\n       REQUIRED STRENGTHENING.\n\n        Financial statement reliability is dependent on maintaining adequate and\nfunctioning accounting controls. An internal control is a set of policies and procedures\nestablished and maintained by management in order to meet its internal control objectives.\nThe objectives of internal control generally include but are not limited to (a) adherence to\nmanagement\xe2\x80\x99s policies and procedures, (b) the safeguarding of assets, and (c) the accuracy\nand completeness of the accounting records. Adequate internal control can reduce the risk\nthat financial statements contain material misstatements. During our FY 1998 testing, we\nidentified several control weakness issues related to financial reporting that require PBGC\nmanagement\xe2\x80\x99s attention.\n\n1.1    Premium receivable balance was generated\n       by the Premium Accounting System (PAS)\n       using incorrect data.\n\n       PBGC uses information contained on Statements of Account (SOAs), Past Due Filing\nNotices (PDFNs) and Earned Income Accrual (EIA) balances to generate its year-end premiums\nreceivable balance. During our FY 1998 testing, we found instances when SOAs and EIAs\nbalances were misstated due to incorrect plan data.\n\n        When a plan underpays or submits an incomplete or a late filing form, PAS generates\na SOA. This statement has a direct financial statement impact, as it represents a premium\nreceivable. Additionally, EIA, an accrual for income earned but not yet due, makes up a\nportion of the Corporation\xe2\x80\x99s receivable balance. Our FY 1998 testing identified instances\nwhen PAS generated SOAs for plans that did not owe money to PBGC. Furthermore, we\nidentified instances when PBGC accrued earned income using incorrect plan data\nmaintained on PAS. Accordingly, the individual plan receivable balances generated as a\nresult were inaccurate.\n\n         If a plan does not submit a timely premium filing form, PAS generates a PDFN that\nshould be mailed to the plan sponsor as a reminder that the payment is due. A PDFN also\nallows PAS to track all plans that have not filed on time and represents an important control\nover completeness of premiums receivable. During our FY 1998 testing, we noted that PDFNs\nwere generated on a test basis for plans that did not file in FY 1997 and were not mailed to\nlate filers. As a result, PBGC used another method to ensure the completeness of premiums\nreceivable. If the Corporation cannot accurately and completely account for receivables on a\nplan basis, the amounts reported in the financial statements may be potentially misstated.\n\n\n\n\n                                              6\n\x0c                                          Recommendation\n\nWe recommend the following corrective action:\n\n       Enhance financial reporting controls surrounding PAS to improve the system\xe2\x80\x99s ability\n       to accurately track premiums receivable on a plan basis. (FOD-274)\n\n1.2    PBGC performed numerous manual\n       reclassifications and adjustments to the\n       year-end premium balances generated by\n       PAS.\n\n       PAS premium related accounts reflect all activity dating back to the inception of PAS\nin 1994. PAS accounts are not reset at fiscal year-end. To arrive at final balances, PBGC is\nrequired to perform numerous manual adjustments, validity testing, and reclassifications\nbetween single employer and multiemployer funds. This current methodology is a complex\nand inefficient process that will continue to become more burdensome with the passage of\ntime. Such processes increase the possibility that misstatements could arise at both the\nsubsidiary system and financial statement level and not be detected.\n\n                                          Recommendation\n\nWe recommend the following corrective action:\n\n       Analyze the existing year-end processes surrounding PAS and identify improvements\n       that will reduce the necessity of manual adjustments, validity testing, and\n       reclassifications at year-end. (FOD-275)\n\n2.     COMPLIANCE WITH PBGC\xe2\x80\x99S POLICIES AND\n       PROCEDURES NEEDED STRENGTHENING.\n\n        An entity develops and implements policies and procedures to help provide order,\nensure consistency in processing among personnel, and provide guidance to new or\nreassigned personnel. Management also develops policies to help ensure compliance with\napplicable laws and regulations, to guide personnel in the implementation of internal\ncontrols, and to help prevent fraud, waste, or abuse from occurring and not being detected\ntimely. If policies and procedures are not followed, inconsistent or ineffective processing of\naccounting transactions may occur, resulting in possible errors or irregularities. We\nidentified the following instances of non-compliance with PBGC\xe2\x80\x99s policies and procedures:\n\n\n\n\n                                               7\n\x0c2.1    Core documentation was not maintained in\n       the participants\xe2\x80\x99 files in the Image\n       Processing System (IPS).\n\n          During our FY 1998 audit, we identified instances where participants\xe2\x80\x99 files in IPS did\nnot contain core documentation as required by the Insurance Operations Department (IOD)\nManual. The core documentation for participants in pay status and deferred vested\nparticipants includes the Trusteeship Notification Letter, General Information Sheet, Proof of\nAge, and Proof of Marital Status. We identified that several files of the participants in pay\nstatus were missing core documentation and the Initial Determination Letters (IDL). Our\ntesting also revealed that even fewer documents were maintained in the deferred vested\nparticipants\xe2\x80\x99 files. In addition to the lack of core documentation, we noted instances of non-\ncompliance with policies and procedures related to issuance of the trusteeship notification\nletter (i.e., 4042 letter). We also noted that several files for deferred vested participants were\nmissing in IPS.\n\n        The IOD Manual does not require retention of all source documentation obtained at\nthe participant data audits. As of FY 1996, auditors responsible for participant data audits\nwere instructed not to retain source documents that were obtained from prior sponsors of\nterminated plans. These documents were used to build the participant database and\ncalculate benefit payments. According to the IOD Manual, only source documents for a\nsample of participants in each plan are retained. This practice results in conflicts between\nthe IOD Manual provisions that require completeness of the participants\xe2\x80\x99 files and, at the\nsame time, does not require maintaining source documentation already obtained from the\nprior plan sponsors. It may also create inefficiencies in the data gathering process when the\nsame participant information might be requested for the second time.\n\n        Absence of the appropriate source documentation in the participants\xe2\x80\x99 files and delays\nin creating participants\xe2\x80\x99 files in IPS could jeopardize the integrity of the calculation of the\nbenefit payments and Present Value of Future Benefits (PVFB) liability amounts. It also\ncauses a disruption of a clear audit trail, making it difficult to undertake an independent\nconfirmation of the validity of participant data.\n\n                                      Recommendation\n\nWe recommend the following corrective actions:\n\n       Enforce existing IOD policies and procedures requiring that participants\xe2\x80\x99 files contain\n       complete information critical for the benefit payments and the PVFB liability\n       calculation. (IOD-169)\n\n       Modify existing IOD procedures to require retention of source documentation generated\n       as a result of the participant data audits and used to calculate benefit payments and\n       value the PVFB liability. (Disagreed-1)\n\n\n                                                8\n\x0c2.2    Inconsistencies existed among the FBAs in\n       reinstating participants into pay status.\n\n        Our FY 1998 testing of internal control at FBAs indicated that inconsistencies existed\nin reinstating participants taken out of pay status due to death notifications. One FBA\nrequired that participants submit a notarized statement to verify that participants were alive\nwhile another FBA reinstated participants after a telephone verification. This condition\noccurred due to the lack of specific policies and procedures related to verifying participants\xe2\x80\x99\ninformation prior to reinstating them into pay status. Lack of such procedures may lead to\nthe situation when not enough evidence is obtained to mitigate the risk of fraud that benefit\npayments are paid to unauthorized individuals.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n       Develop, implement, and enforce consistent procedures for reinstating participants into\n       pay status. (IOD-170)\n\n2.3    Compliance with policies and procedures\n       related to the plan documentation\n       maintenance should be strengthened at\n       PBGC.\n\n       IOD\xe2\x80\x99s policies and procedures set forth certain maintenance requirements for\npreserving plan documents and other related information at FBAs and the headquarters.\nOur FY 1998 testing identified across-the-board non-compliance with many of these policies\nand procedures. Though we found that plan files of the recently terminated plans were\nbetter maintained, improvements in enforcing these policies and procedures are still critical.\nWithout enforcement and compliance, there is a risk that PBGC would not be able to\nsubstantiate certain valuations or decisions related to plan termination and administration.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n       Enforce policies and procedures related to the maintenance of plan file documentation\n       at the FBAs and headquarters. (IOD-171)\n\n\n\n\n                                              9\n\x0c2.4      Premium Compliance Review (PCR)\n         procedures were not followed consistently.\n\n        Independent review and approval are an integral part of any effective internal control.\nOur FY 1998 testing identified several instances where PBGC failed to approve or complete\ncertain procedures related to PCR, mainly performed by PBGC\xe2\x80\x99s contractors. Specifically,\nPBGC\xe2\x80\x99s Premium Audit and Investigation Branch (PAIB), which is in charge of performing\nPCRs, failed to:\n\n\xe2\x80\xa2     approve several completed reviews;\n\xe2\x80\xa2     complete the required portions of the audit program, including PCR Checklist;\n\xe2\x80\xa2     approve deviations from the standard audit program;\n\xe2\x80\xa2     formally document reasons for review termination prior to completion;\n\xe2\x80\xa2     identify an improper waiver by a contractor of amounts due to PBGC; and\n\xe2\x80\xa2     identify inconsistent applications of documentation policies on behalf of contractors.\n\n      Lack of proper review or approval of PCR results increases the possibility that errors\nmay go undetected and lead to misstatements in the financial statements.\n\n                                       Recommendation\n\nWe recommend the following corrective actions:\n\n         Require all premium compliance reviews to be performed, documented, and approved in\n         accordance with PBGC\xe2\x80\x99s Premium Compliance Review Procedures Manual. (FOD-276)\n\n         Develop and implement formal procedures for closing premium compliance reviews in\n         progress prior to completion. (FOD-277)\n\n2.5      Amounts due to PBGC were not posted to PAS\n         timely.\n\n        PCR work may result in an accrual of premiums receivable, followed by settlements\nand collections. Our FY 1997 testing identified the lack of a documentation link between\nPCR findings and PAS. In FY 1998 testing, we found that a link was created; however, the\ndollar amounts identified as due to PBGC were not posted to PAS timely. If the receivable\namounts are not posted to PAS timely, there is a risk that the collection of these amounts is\nnot properly tracked thus reducing the effectiveness of PCR and causing misstatements in\nPBGC\xe2\x80\x99s financial statements. This condition and the resulting recommendation have been\npreviously identified by the OIG\xe2\x80\x99s report, Inspection of PBGC\xe2\x80\x99s Premium Compliance Program\n(97-6/23102-3), issued August 7, 1997.\n\n\n\n                                                10\n\x0c                                       Recommendation\n\nAs identified in the OIG report, the following corrective action is recommended:\n\n         Develop and implement accounting procedures for recording the results of PCR into PAS\n         at the point the debt is determined. (FOD-227)\n\n2.6      PBGC\xe2\x80\x99s information technology control policies\n         and procedures have not been updated to reflect\n         the recent migration to a client-server\n         environment.\n\n        The policies and procedures contained in the draft Information Resources\nManagement Department (IRMD) Change Management document that formalizes the process\nused by PBGC to report, record, and approve changes to systems and application software\nneed to be expanded to include the change management process related to the client-server\nenvironment. In conjunction with the Systems Development Life Cycle methodology,\nchange management within the development and maintenance environment is a significant\ncontrol. As PBGC\xe2\x80\x99s information technology environment has undergone transition from the\nmainframe to the client-server environment, the Change Management policies have not been\nmodified to reflect this migration. As defined in the Office of Management and Budget (OMB)\nCircular A-127, management is responsible for defining a system development methodology,\nincluding a controlled approach to maintain and support these systems during\nimplementation and operational status. The enhancements to the change control process\nshould include:\n\n\xe2\x80\xa2     change management process for modifications to security and database settings in the\n      client-server environment;\n\xe2\x80\xa2     security requirements during the change control process;\n\xe2\x80\xa2     impact analysis including assessment of changes and identification of affected data\n      elements; procedure to be followed to control the transfer of configuration elements\n      between development, test, and production environments; and\n\xe2\x80\xa2     source code version control.\n\n        PBGC contracts with third-party vendors or contractors for ongoing assessments of\nits business applications for certification and accreditation purposes, thereby assisting\nmanagement with compliance to the FMFIA requirements. However, PBGC has not\nestablished the criteria for assessing business and information technology risks to be used by\nthese contractors as benchmarks for their work. Such criteria should include:\n\n\xe2\x80\xa2     identification of sensitive or critical resources in conjunction with information owners,\n      business, and technical staff;\n\xe2\x80\xa2     quantification of risks and standardization of risk categories;\n\xe2\x80\xa2     selection of cost-effective information controls;\n                                                11\n\x0c\xe2\x80\xa2     performance of risk assessments; and\n\xe2\x80\xa2     risk acknowledgment where management determines it is impractical, inefficient, or not\n      cost-effective to implement a recommended control.\n\n                                      Recommendation\n\nWe recommend the following corrective actions:\n\n         PBGC needs to enhance the change control process used in maintaining and supporting\n         its application systems and include it as part of the overall System Development Life\n         Cycle currently being developed. (IRMD-108)\n\n         PBGC needs to develop and formalize criteria for assessing business and information\n         technology risks that can be used internally and for contractors performing\n         independent reviews. (IRMD-109)\n\n3.       CONTROLS OVER THE PRISM APPLICATION\n         WERE NOT ADEQUATE.\n\n        PBGC\xe2\x80\x99s long-term ability to provide timely benefit payments to participants of\nterminated pension plans and to prepare reliable financial statements is significantly\ndependent on its effectiveness in managing accurate and complete participant records. Prior\nto FY 1998, PBGC\xe2\x80\x99s custodian bank, SSB, maintained and managed participant data for\nPBGC. During FY 1998, PBGC implemented PRISM, a new in-house database and\ninformation management system, and assumed control over participant information.\nParticipant records were converted from the pay-based SSB database, Pension and Lump\nSum System (PLUS), to the customer-based PRISM database (Genesis). While PBGC has\ndesigned and placed in operation many important monitoring and information technology\ncontrols over the PRISM database and applications, our FY 1998 audit identified areas where\nthese controls could be strengthened to reduce risks associated with the benefit payment\nprocess and participant record integrity.\n\n       Below, Section 3 discusses findings and recommendations for improvements in\ncontrols surrounding the PRISM application that constituted the basis for the third\nreportable condition included in our FY 1998 Independent Accountants\xe2\x80\x99 Report on Internal\nControl (99-7/23132-2).\n\n3.1     Data Integrity and Processing\n\n       Audit procedures performed on participant records maintained in PRISM (Genesis)\nidentified the following participant data integrity and processing issues:\n\n\n\n\n                                               12\n\x0c3.1.1 Participant records did not always agree to\n      or were missing proper source\n      documentation in IPS.\n\n        During our FY 1998 testing of the data generated from the PRISM database, we noted\nnumerous instances where data maintained in PRISM did not agree to or was not supported\nby information in IPS. Specifically, the following instances were noted:\n\n\xe2\x80\xa2   IPS did not always contain documentation to support the participant\xe2\x80\x99s deceased status;\n\xe2\x80\xa2   The bank account numbers in PRISM were not always in agreement with or were not\n    supported in IPS;\n\xe2\x80\xa2   The benefit cutback amounts in PRISM did not always match the benefit cutback\n    amounts indicated by IDL in IPS;\n\xe2\x80\xa2   Key dates in PRISM (e.g., date of birth, date of hire) were not always in agreement with\n    the supporting documentation in IPS;\n\xe2\x80\xa2   The lump sum payment to participants, who received monthly and lump sum payments,\n    were not always supported in IPS;\n\xe2\x80\xa2   Some large lump sum payments were not supported in IPS to substantiate calculations\n    and reasons for such payments; and\n\xe2\x80\xa2   Some participants\xe2\x80\x99 files were missing in IPS.\n\n        These instances occurred due to data entry errors, lack of follow-up with participants\nor their relatives, delays in issuing adjusted IDLs to participants, and failure to image\nsupporting documentation. In order to value correctly its liabilities, PBGC needs to maintain\nadequate and accurate participant information. If the information in the PRISM database is\nnot complete and accurate, there is a possibility that the PVFB liability and participant\nbenefit calculations could be misstated.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n       Enforce policies and procedures that require participants\xe2\x80\x99 records in PRISM contain\n       information that is adequately supported in IPS. (IOD-172)\n\n3.1.2 Participant data were not always input into\n      PRISM timely.\n\n        During our testing at one of the FBAs, we noted instances where beneficiary\ninformation for several participants who had made a joint and survivorship election was not\ninput in PRISM timely thus jeopardizing the accuracy of data in the participants\xe2\x80\x99 records. In\naccordance with the policies and procedures, as specified in the IOD Manuals, accurate\nparticipants\xe2\x80\x99 data is an important element of PBGC\xe2\x80\x99s financial statements, as PRISM provides\ndata used to value the PVFB. Beneficiary information was not input into PRISM timely due\n                                             13\n\x0cto a miscommunication between the FBAs and the PRISM team at the headquarters. If\nbeneficiary information is not entered timely into participants\xe2\x80\x99 records, the PVFB liability for\nthese participants could be misstated.\n\n                                      Recommendation\n\nWe recommend the following corrective action:\n\n       Enforce existing policies and procedures related to the information that should be\n       captured by FBAs in the participants\xe2\x80\x99 records in PRISM. (IOD-173)\n\n       Maintain an adequate audit trail of decisions affecting the integrity of participants\xe2\x80\x99\n       data. (IOD-174)\n\n3.1.3 Erroneous duplicate participant records\n      were found in PRISM.\n\n        During our testing of the PRISM database, we noted instances of erroneous duplicate\nparticipant records. Duplicate participant records were created in PRISM at the time of\nconversion from PLUS. PBGC invested significant efforts into resolving the problem;\nhowever, erroneous duplicate records still existed in PRISM at year-end. This situation\ncaused a year-end adjustment to the PVFB liability. Additionally, we noted that some of the\nduplicate records had payment ledgers established under both records. It is important for\nPBGC to ensure that erroneous duplicate participant records are not maintained in PRISM.\nThis control should eliminate the potential risk of invalid payments to participants and the\nrelated misstatement of the PVFB liability on PBGC\xe2\x80\x99s financial statements.\n\n                                      Recommendation\n\nWe recommend the following corrective action:\n\n       Delete invalid duplicate participant records in PRISM and implement necessary controls\n       to prevent the creation of duplicate records in future processing. (IOD-175)\n\n3.1.4 Data processing errors occurred in PRISM.\n\n        During our testing we noted instances when data processing errors caused\nsubstantial delays in input and duplicate input of financial information such as benefit\npayment credits. Specifically, we identified several instances when returned checks,\nrecoupments of overpayments to deceased participants, and payments to participants issued\nvia special checks were properly credited to the participants\xe2\x80\x99 records in PLUS at SSB but were\nnot reflected in PRISM. We also noted instances when the same checks were credited twice in\nthe participants\xe2\x80\x99 records in PRISM.\n\n\n\n                                               14\n\x0c       In addition, we identified instances when data processing errors in PRISM resulted in\nerroneous benefit payments to participants via special checks. We identified a special check\ntransaction for an unusually large amount that was processed in error and paid in the\nDecember 1997 check run. At that time, the system allowed creation of multiple payment\nrecords via special checks for the same participant. When PBGC identified the processing\nproblem, a unique payment ID was added to enhance the control over special check\nprocessing. However, to prevent reoccurrence, an improvement is needed in related controls\nsuch as reconciliation to minimize the risk of this error reoccurring.\n\n                                    Recommendation\n\nWe recommend the following corrective actions:\n\n       Apply transactions to participants\xe2\x80\x99 records in PRISM properly and timely. (IOD-176)\n\n       Properly authorize special check payments in accordance with authorization thresholds\n       established by PBGC. (IOD-177)\n\n3.2    Policies and Procedures\n\n        Although PBGC has begun updating the existing policies and procedures to address\nPRISM-related changes in information processing, we identified instances where important\ncontrol procedures were not performed adequately or were not documented in sufficient\ndetail.\n\n3.2.1 Reconciliations between projected benefit\n      payments and actual disbursements were\n      not performed timely or sufficiently\n      documented.\n\n        Reconciliations between projected benefit payments as reported by the PRISM\nBalancer module and actual disbursements made by SSB represent an important internal\ncontrol over the benefit payment process. Balancer module is designed to compare the\nprojected benefit payment amounts according to PRISM database with the actual payment\nledgers generated by SSB and permits the system administrator to resolve discrepancies and\ndocument their resolution in the database. Balancer, which was not operational for several\nmonths after the system implementation in October 1997, started producing reports\nnecessary to perform such reconciliations late in FY 1998. However, the reconciliations were\nnot documented, the discrepancies between PRISM and SSB records were not resolved\ntimely, and did not contain evidence of the supervisory review and approval. This condition\nwas caused by lack of formal reconciliation procedures, including clearly defined\naccountability requirements.\n\n\n\n\n                                             15\n\x0c       Without a proper reconciliation between what PBGC has authorized for payment and\nwhat SSB disbursed to participants, controls are compromised. Erroneous payments issued\nby SSB may not be detected by PBGC and unauthorized transactions could be erroneously\npaid on behalf of PBGC. Additionally, if reconciling items are not resolved timely, errors may\noccur and remain undetected in both databases.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n       Develop and implement formal reconciliation procedures that require the reconciling\n       items between PRISM and PLUS records be resolved timely and their resolution be\n       sufficiently documented. (IOD-178)\n\n       Require formal managerial review and approval of reconciliations between PLUS and\n       PRISM. (IOD-179)\n\n3.2.2 Deathmatch control was not operational.\n\n        A significant data integrity control known as deathmatch was not operational in FY\n1998. The control enables PBGC to identify deceased participants and update PRISM\nrecords. In the past, deathmatch was performed regularly by SSB. PBGC took over this\nfunction in FY 1998, but, as of September 30, 1998, this procedure was not performed.\nPRISM has a Deathmatch module that is designed to compare the PRISM database against\nthe Social Security Administration (SSA) deceased participant records on a quarterly basis.\nIn FY 1998, this match was performed on a test basis. However, no verification letters were\nsent to the participants on the match list. If the deathmatch is not performed properly with\nappropriate follow-up, PBGC will be facing a risk that benefit payments may be made to\ndeceased participants.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n       Implement the deathmatch controls. (IOD-180)\n\n3.2.3 Reconciliations of participants in assumed\n      plans were not formally documented or\n      were not performed.\n\n       In November 1997, PBGC assumed from SSB responsibility for converting plan records\nfrom the prior paying agents. In FY 1998, IOD conducted conversion of plan data manually\nbecause the PRISM Data Hub module was not operational. The Data Hub module is\ndesigned to load data for plans assumed by PBGC into PRISM (Genesis) database\n\n\n                                              16\n\x0celectronically. During FY 1998, we identified that no formal reconciliation was performed\nbetween prior paying agent payment records and manual loads in PRISM. IOD performed\ninformal verification to ensure that all participants in pay status have been loaded in\nPRISM. However, its results were not documented and there was no evidence of\nmanagement\xe2\x80\x99s review and approval. No reconciliations of the deferred vested participants\xe2\x80\x99\ndata in assumed plans were performed.\n\n       At the time of transition such as transferring the function from one entity to another,\na proper audit trail is essential to ensure that the processes can be reperformed and errors\ncan be corrected timely. Without proper reconciliation and management\xe2\x80\x99s review and\napproval of such reconciliation, participant information could be missing or entered\nincorrectly.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n      Establish a formal reconciliation process for the plans assumed from the prior paying\n      agents whereby reconciliations are reviewed and approved by an appropriate level of\n      management. (IOD-181)\n\n3.3    Segregation of Duties\n\n        Segregation of duties, as a control, establishes an environment in which no single\nindividual is given the ability to initiate, create, modify, and delete data. If management\nestablishes such an environment, adequate monitoring capabilities should be implemented\nto allow for an independent review of an individual\xe2\x80\x99s actions.\n\n3.3.1 PBGC assigned the PRISM development team\n      duties that did not adequately promote a\n      controlled development environment.\n\n       During fiscal year 1998, the PRISM development team performed functions that\nwould not be considered compliant with a properly controlled environment, as defined by\nbusiness best practice and OMB A-130. In addition to the on-going development of the\napplication modules, the team members were assigned the responsibility for the database\nconversion and implementation of the system into production, as well as error correction,\nmaintenance, support, and database administration of both the development and\nproduction environments. Although PBGC is in the process of reassigning responsibilities for\nthe maintenance and support of PRISM, this issue of controlling the two separate\nenvironments, development and production, was not addressed as of September 30, 1998.\n\n      During fiscal year 1998, there were no monitoring controls in place that would enable\nPBGC to detect potential unauthorized data modifications caused by an inadequate\n\n\n                                              17\n\x0csegregation of duties. While PRISM contains an authorization log and an audit trail for each\ntransaction, there were no formal reports produced for independent review, nor were there\nspecific policies and procedures requiring supervisory review of such reports. Monitoring\ncontrols and an adequate segregation of duties between development and production\nfunctionality would strengthen the system development and change control process, thereby\nreducing the risk of unauthorized modifications to data or system resources.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n       PBGC should include in its development of a formal systems development life cycle\n       methodology policies and procedures that address adequate controls for the\n       segregation of functions performed in the development and production environments.\n       (IRMD-110)\n\n       PBGC should include in its development of a formal systems development life cycle\n       methodology policies and procedures that implement and enforce adequate monitoring\n       controls for significant activities performed by individuals and/or systems.\n       (IRMD-111)\n\n3.3.2 PBGC assigned operational and security\n      responsibilities to one individual without\n      implementing adequate controls to monitor\n      activity.\n\n     During fiscal year 1998, one individual was assigned excessive functionality for both\nPRISM application security and operational responsibilities. These responsibilities included:\n\n\xe2\x80\xa2   Granting access to individuals for entering and approving financial data;\n\xe2\x80\xa2   Re-routing financial transactions to alternate approval queues;\n\xe2\x80\xa2   Approving financial transactions not previously approved timely by authorized\n    individuals; and\n\xe2\x80\xa2   Performing certain financial reconciliations.\n\n        Financial reconciliations performed by this individual included (a) reconciliations\nbetween projected benefit payments as reported by PRISM and actual disbursements made by\nSSB in PLUS and (b) reconciliations between benefit funding requests approved by PBGC and\nbenefit payments disbursed by SSB.\n\n        During our testing, we noted that in FY 1998 there was a lack of monitoring controls\nin place that would enable PBGC to detect potential unauthorized data modifications due to\nthis individual having the authority to initiate, create, modify, and delete data. For example,\nwe found that both types of financial reconciliations did not contain evidence of\n\n\n                                              18\n\x0cthe supervisory review and approval. The lack of adequate controls to monitor the overlap\nof responsibility assigned to one individual increases the risk that unauthorized activity may\noccur and not be detected in a timely manner.\n\n                                     Recommendation\n\nWe recommend the following corrective action:\n\n       PBGC should implement policies and procedures that would control the assignment of\n       excessive responsibilities, including the development of adequate monitoring of\n       activities performed by individuals and/or systems. (IOD-182)\n\nStatus of Prior Year Findings and Recommendations\n\n       While we recognize that the Corporation has put forth considerable efforts to\nimplement policies and procedures to mitigate or otherwise resolve the findings reported in\nour FY 1993 to FY 1996 audit reports (OIG Audit Report Numbers 94-1/23069-2, 94-\n7/23079-2, 95-7/23083-2, 96-9/23093-3, and 97-4/23110-2), as of September 30, 1998, a\nnumber of findings and related recommendations had yet to be completed and implemented.\n\n        The following schedule identifies the status of the 28 recommendations that were\noutstanding as of September 30, 1997. Follow-up of prior year findings and\nrecommendations was performed, in part, to determine the nature, timing, and extent of the\ncurrent year\'s audit procedures. The status was determined through review of management\'s\nresponses to the OIG\'s semi-annual report of audit recommendations, additional audit\ntesting performed, and discussions held with the appropriate management personnel. The\nstatus of these prior-year findings is as of September 30, 1998, and may not necessarily\nrepresent the status as of the date of the issuance of this report. The \xe2\x80\x9cstatus\xe2\x80\x9d category of\neach prior-year finding corresponds to the categories as used by the OIG in the Semiannual\nReport of Follow-up of Audit Recommendations, defined as follows:\n\n\xe2\x80\xa2   Completed -- The OIG concurs with PBGC management that the recommendation had\n    been implemented. Therefore, this recommendation will no longer be tracked by the OIG\n    and reported in future Semiannual Reports on Follow-up Audit Recommendations.\n\n\xe2\x80\xa2   Initiated, Not Completed -- Steps have been taken by PBGC management to implement\n    the recommendation. However, further actions are still needed by PBGC to implement\n    the recommendation. Therefore, this status of the recommendation will continue to be\n    tracked by the OIG.\n\n\xe2\x80\xa2   Not Initiated -- No steps have been taken by PBGC management to implement the\n    recommendation. Therefore, this status of the recommendation will continue to be\n    tracked by the OIG.\n\n\n\n                                             19\n\x0c  OIG\nControl    Status of Prior Year Findings and Recommendations As of              Status as of\nNumber                            September 30, 1998                        September 30, 1998\n\n\n\n                                       Fiscal Year 1996\n\nFOD-216    Controls surrounding PAS require improvement.                         Completed\nFOD-217                                                                    Initiated, Not Completed\nFOD-219                                                                          Completed\n\n\nFOD-259    PBGC did not always maintain a proper audit trail to support    Initiated, Not Completed\nFOD-261    the component line items presented in the Corporation\xe2\x80\x99s               Completed\nIOD-141    financial statements or the underlying controls related to      Initiated, Not Completed\n           financial reporting.\n\n\nFOD-263    PBGC personnel did not always comply with PBGC policies and     Initiated, Not Completed\nFOD-264    procedures.                                                     Initiated, Not Completed\nFOD-265                                                                          Completed\nFOD-266                                                                          Completed\nIOD-142                                                                          Completed\n\n\nIOD-143    Participant data maintained on PLUS did not always agree to     Superseded by IOD-151\n           the supporting documentation maintained by PBGC.\n\n\nIOD-144    Develop procedures to implement PBGC\xe2\x80\x99s policy to conduct an     Initiated, Non Completed\n           expense assumption study on a predetermined schedule or\n           when certain conditions (economic or political) exist to\n           determine the reasonableness and validity of this assumption.\n\n\n OED-9     Develop and document a formal methodology for calculating       Initiated, Non Completed\n           the general unidentified single-employer probable contingency\n           reserve based on an analysis of related industry trends and\n           historical information.\n\n\nFOD-267    Develop and implement procedures to validate single-employer          Completed\n           data reported on the Form 1.\n\n\n                                     Fiscal Year 1995\n\nFOD-193b   Develop and follow a formal systems development life cycle      Superseded by IRMD-92\n           methodology on all subsequent system acquisition or\n           development projects.\n\n\n\n\n                                              20\n\x0c  OIG\nControl   Status of Prior Year Findings and Recommendations As of                Status as of\nNumber                          September 30, 1998                           September 30, 1998\n\n\n\nFOD-195   Explanations for changes to the reasonably possible                     Completed\n          contingency inventory list of plans were not always documented\n          or supported by a Contingency Classification Form A.\n\n\nIOD-137   Reconciliations of the number of benefit checks processed by      Initiated, Not Completed\n          SSB and its contractor are not always performed or\n          adequately supported.\n\n\nIRMD-75   PBGC has not formally documented its policies and procedures      Initiated, Not Completed\nIRMD-76   related to computer program changes.                              Initiated, Not Completed\n\n\nIRMD-80   Access to the mainframe security system is not adequately               Completed\nIRMD-81   limited.                                                          Initiated, Not Completed\n\n\nIRMD-83   Several generic user IDs were found in the system.                      Completed\n\nIRMD-84   The Corporation\xe2\x80\x99s disaster recovery plan does not include local   Initiated, Not Completed\n          area networks.\n\n\n                                   Fiscal Year 1994\n\nIOD-127   General controls surrounding the Integrated Present Value of      Initiated, Not Completed\nIOD-129   Future Benefits (IPVFB) Local Area Network (LAN) are              Initiated, Not Completed\n          inadequate.\n\n\n\n\n                                   Fiscal Year 1992\n\nIOD-67    PBGC did not always maintain adequate documentation to            Superseded by IOD-151\n          support the participant data residing on PLUS.\n\n\nIOD-66    Controls related to the input on non-financial participant data   Superseded by IOD-152\n          to PLUS are inadequate to ensure the veracity of the data\n          maintained therein.\n\n\n\n\n                                           21\n\x0c\x0c\x0c\x0c\x0c\x0c'